The Week in Ransomware – February 12th 2021


This week we saw another ransomware shut down its operation and a significant attack against Cyberpunk 2077 game developer CD Projekt Red.

Another operation known as Ziggy Ransomware shut down this week and released the decryption keys for victims. This shut down was due to increased concern about law enforcement action after the disruption and arrests in the Netwalker Ransomware operation.

We also saw a major attack against game developer CD Projekt Red from a ransomware group called HelloKitty. During this attack, the threat actors claimed to have stolen the alleged source code for the Witcher 3 and Cyberpunk 2077 games, which threat actors later put up for auction on a hacker forum.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @BleepinComputer, @jorntvdw, @DanielGallagher, @Seifreed, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Ionut_Ilascu, @FourOctets, @malwareforme, @struppigel, @VK_Intel, @PolarToffee, @JakubKroustek, @M_Shahpasandi, @vxunderground, @BrettCallow, @chum1ng0, @Kangxiaopao. @Amigo_A_, @Intel_by_KELA, and @danusminimus.

February 7th 2021

Ziggy ransomware shuts down and releases victims’ decryption keys

The Ziggy ransomware operation has shut down and released the victims’ decryption keys after concerns about recent law enforcement activity and guilt for encrypting victims.

Albany ransomware attack threatens criminal cases

The 2019 ransomware attack on the city’s servers is now potentially affecting criminal cases after it was revealed that the city police department lost all digital copies of its 2018 internal affairs files.

New DarkWorld ransomware

xiaopao found a new ransomware called DarkWorld that appends the .dark extension and drops a ransom note named import.txt.


New Tortoise ransomware

Danus found the new Tortoise Ransomware that appends the .tortoise extension but does not appear to actually encrypt anything.

February 8th 2021

New DaddyCrypt JCrypt variant

xiaopao found a new JCrypt ransomware variant that appends called DarkWorld that appends the .daddycrypt extension and drops a ransom note named _RECOVER__FILES__.daddycrypt.txt.

February 9th 2021

New Dharma ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .wcg.con30, and .text extensions to encrypted files.

CD PROJEKT RED gaming studio hit by ransomware attack

CD PROJEKT RED, the video game development studio behind Cyberpunk 2077 and The Witcher trilogy, has disclosed a ransomware attack that impacted its network.

Ransom note

HelloKitty ransomware behind CD Projekt Red cyberattack, data theft

The ransomware attack against CD Projekt Red was conducted by a ransomware group that goes by the name ‘HelloKitty,’ and yes, that’s the name the threat actors utilize.

New Matrix ransomware variant

xiaopao found a new Matrix ransomware variant that appends the .TRU8 extension.

February 10th 2021

French MNH health insurance company hit by RansomExx ransomware

French health insurance company Mutuelle Nationale des Hospitaliers (MNH) has suffered a ransomware attack that has severely disrupted the company’s operations. BleepingComputer has learned.

Hackers auction alleged stolen Cyberpunk 2077, Witcher source code

Threat actors are auctioning the alleged source code for CD Projekt Red games, including Witcher 3, Thronebreaker, and Cyberpunk 2077, that they state were stolen in a ransomware attack.


New Dharma ransomware variants

Jakub Kroustek found new Dharma ransomware variants that append the .word, and .LOTUS extensions to encrypted files.

New STOP Djvu variant

Michael Gillespie found a new STOP DJvu ransomware variant that appends the .ygkz extension to encrypted files.

New Android ransomware

MalwareHunterTeam found a new Android ransomware targeting users from Kazakhstan.

February 11th 2021

Avaddon ransomware fixes flaw allowing free decryption

The Avaddon ransomware gang has fixed a bug that let victims recover their files without paying the ransom. The flaw came to light after a security researcher exploited it to create a decryptor.

February 12th 2021

Seraing: the City hit by a cyber attack!

Last weekend, the city of Seraing reported that its services were temporarily inaccessible to the public and for a reason beyond its control. Indeed, since the computer network of the city of Seraing was the victim of a malicious attack! A complaint has been filed.

The Trigano company victim of a cyberattack, the Tournon-sur-Rhône plant shut down

The manufacturer of caravans, motorhomes, camping furniture and mobile homes was the victim of a cyberattack on Tuesday February 9. It prevents access to computers. The factory based in Tournon-sur-Rhône (Ardèche) is therefore at a standstill this Friday, February 12.

That’s it for this week! Hope everyone has a nice weekend!

You May Also Like…